HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3

3 Configuring and loading IPv4 filter rules
3.1 IPv4 filter rules configuration file
The default HP-UX IPFilter IPv4 filter rules file is /etc/opt/ipf/ipf.conf. To specify an alternate
IPv4 filter rules file name, set the IPF_CONF parameter in the IPFilter startup file,
/etc/rc.config.d/ipfconf.
When HP-UX IPFilter is first installed, the /etc/opt/ipf/ipf.conf rules file is empty. Appendix B
(page 100) contains example rules files you can use to create your ruleset.
3.1.1 Format
Entries in IPFilter rule files must meet the following requirements:
Each rule must be contained on one line. Line continuation characters are not supported.
IPFilter interprets all text to the right of a number symbol (#) as a comment.
Extra white space is allowed and encouraged to keep the rules readable.
3.1.2 Rule order and processing
Rules are processed in order from top to bottom of the rules file. By default, IPFilter uses the last
filter rule that matches the packet it is evaluating. For example, suppose a rules file contains the
following entries:
block in all
pass in all
The first rule (block in all) blocks all packets, and the last rule (pass in all) allows all
packets. Any given packet will match both rules, but the last matching rule takes precedence.
IPFilter will apply the last rule that matches the packet (pass in all) and allow it to pass.
You can modify IPFilter rules processing by using the quick keyword in a rule to force IPFilter to
immediately apply a matching rule and stop processing rules. See Section 3.4.3 (page 19) for
more information.
TIP: Many administrators find it easier to use the quick keyword in each rule and then order
the rules from most specific to least specific.
You can also modify IPFilter rules processing by configuring rule groups. See Section 3.7 (page 27)
for more information.
3.2 Basic rule syntax: specifying the action, direction, protocol, IP addresses, and ports
A simplified syntax for IPFilter rules is as follows:
block|pass in|out [proto protocol] ip_selector
The ip_selector can use the from and to keywords to specify IP addresses and the port
keyword to specify port numbers:
block|pass in|out [proto protocol] from ip_address[/prefix] [port = port] to ip_address[/prefix] [port = port]
Alternatively, the ip_selector can be the keyword all to specify all IP addresses:
block|pass in|out [proto protocol] all
The sections that follow describe the parameters and options for this simplified syntax. For the
complete IPFilter rule syntax, see ipf(5).
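To make the rule-order semantics of Section 3.1.2 and the simplified syntax above concrete, the following is an added example (not from this guide and not HP's code) that parses rules in the simplified grammar, with the optional quick keyword, and evaluates packets against them: the last matching rule wins unless a matching quick rule stops the scan. The ruleset, the packet fields, and the choice to pass a packet that matches no rule at all are constructed assumptions for the example.

```python
import ipaddress
import re
RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)(?P<quick>\s+quick)?(?:\s+proto\s+(?P<proto>\w+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?)\s*$")
# Constructed example ruleset (not taken from the guide).
EXAMPLE_RULES = """
block in all      # default deny for inbound traffic
pass in proto tcp from 10.1.0.0/16 to 192.0.2.10 port = 22
block in quick proto tcp from 10.1.5.0/24 to 192.0.2.10 port = 22
pass in all       # would override the block above if that rule were not quick
"""

def parse_rules(text):
    """One rule per line; text after '#' is a comment; blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparsable rule {raw!r}")
        d = m.groupdict()
        rules.append({
            "action": d["action"], "dir": d["dir"], "quick": bool(d["quick"]), "proto": d["proto"],
            "src": ipaddress.ip_network(d["src"], strict=False) if d["src"] else None,
            "dst": ipaddress.ip_network(d["dst"], strict=False) if d["dst"] else None,
            "sport": int(d["sport"]) if d["sport"] else None,
            "dport": int(d["dport"]) if d["dport"] else None})
    return rules

def matches(rule, pkt):
    """A rule matches when every field it specifies agrees with the packet."""
    if rule["dir"] != pkt["dir"] or (rule["proto"] and rule["proto"] != pkt["proto"]):
        return False
    if any(rule[s] is not None and ipaddress.ip_address(pkt[s]) not in rule[s] for s in ("src", "dst")):
        return False
    return all(rule[p] is None or rule[p] == pkt.get(p) for p in ("sport", "dport"))

def evaluate(rules, pkt, default="pass"):
    """Last matching rule wins; a matching 'quick' rule ends the scan. The no-match default is an assumption."""
    decision = default
    for rule in rules:
        if matches(rule, pkt):
            decision = rule["action"]
            if rule["quick"]:
                break
    return decision
```

With EXAMPLE_RULES, an inbound SSH packet from 10.1.5.7 is blocked by the quick rule even though the final pass in all rule also matches, while the same packet from 10.1.2.3 passes because the last matching rule is pass in all.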